Chapter 4 - Safety System Design Consideration 141

X80 DROP MODULES

The embedded RIO Scanner Service is used to communicate with the Remote I/O adaptor modules located in the X80 remote drop. The BMX/BME CRA modules transfer/forward safety messages (Black Channel messages) and are not themselves safety related.

To support the new Ethernet backplane and to allow Ethernet-based I/O modules to be located in the Remote I/O drops, there is a new Remote I/O drop adaptor module, the BME CRA 312 10. The BME CRA 312 10 is also known as the eX80 performance EIO adapter within an M580 Remote I/O architecture. The existing X80 drop adapter BMX CRA 312 10 is also supported.

All CRA modules share similar physical characteristics: each has LED displays, rotary switches and 2 x Device Network ports.

The differences between the X80 series CRA adapter modules are compared in the following table (columns: BMX CRA 312 10, X80 Performance CRA; BME CRA 312 10, eX80 Performance CRA):

Feature | BMX CRA 312 10 (X80 Performance CRA) | BME CRA 312 10 (eX80 Performance CRA)
Time Stamping 10ms CCOTF Yes Expert Modules Max Analog I/O Yes Max Discrete I/O Service Port NOM, ERT, EHC X-Bus Rack Compatible Ethernet Rack Compatible 256 Rack Extensions Fast & Aux Tasks 1024 Ethernet Only Modules Yes Yes No Yes 1 extension rack Yes No Yes

Configuration Training
SERVICE PORT

The SERVICE port is used to connect external monitoring or configuration tools to the network. Use this port to connect:
➢ Network monitoring tools such as ConnexView or Wireshark.
➢ Non-critical communicating devices, for example HMI or SCADA.
➢ Configuration software tools such as Redundant M580 Safety or Advantys Configuration Software.
➢ Distributed I/O, in a mixed architecture.

This port supports the port mirroring function: in this mode, the data traffic related to a source port on a network switch is copied to another destination port. This allows a connected management tool to monitor and analyse the port traffic.

Note: Do not connect a device with a speed in excess of 100 Mbps to the service port. If the device is configured for a speed that exceeds 100 Mbps, the Ethernet link may not be established between the device and the module through the service port. Moreover, Schneider Electric does not recommend connecting any MES on this port.

Device Network Ports

Each Remote drop module is equipped with 2 DEVICE NETWORK ports which allow implicit I/O exchanges with a remote I/O scanner. The ports can be implemented in a daisy chain loop or a ring architecture if using ConneXium switches. These are described later in this course.

INSTALLATION

On an X80 I/O drop, the CRA must be installed in Slot 0.

COMMUNICATION EXCHANGE

The M580 RIO system is based on EtherNet/IP technology. The input data from the Ethernet remote I/O drop is collected and published for the remote scanner. The output modules are updated with the data received from the remote scanner. The remote scanner views the BME CRA 312 10 and BMX CRA 312 10 modules as remote I/O adapters whose exchanges are deterministic, which means that the time it takes to resolve a remote I/O logic scan is predictable.
See Also: For more information about EtherNet/IP, log on to www.odva.org or refer to the Industrial Communication with EcoStruxure Control Expert training course, EtherNet/IP chapter.

Modicon M580 Safety
SAFETY DAISY CHAIN LOOP ARCHITECTURE

On the Safety ePAC and on each non-interfering CRA module, 2 Ethernet ports are used for linking the head and the drops together. These ports are labelled DEVICE NETWORK (ports ETH2 and ETH3).

In a simple architecture, a Safety ePAC DEVICE NETWORK port is linked to a CRA drop module using one port. Additional drop modules can then be "daisy chained" from this point.

To ensure a highly reliable system, cable redundancy can be achieved by looping back to the second DEVICE NETWORK port of the M580 CPU, thus creating a daisy chain loop. This kind of architecture is deterministic and ensures high availability of the system, with recovery times of less than 50ms.

EQUIPMENT INCOMPATIBILITY
Do not install more than 1 standalone or 1 redundant system onto a remote I/O network.
Failure to follow this instruction can result in injury or equipment damage.
CABLE LIMITATIONS

Each Ethernet port accepts a standard RJ45 Ethernet cable. The Safety ePAC CPU and the non-interfering CRA remote adapter modules do not have fibre-optic ports. Therefore, the distance to another Ethernet remote I/O drop must be less than 100m using shielded CAT5e or greater (10/100 Mbps) cable.

Up to 16 CRA modules can be inserted in this manner:

Safety ePAC CPU    Max Remote I/O drops
BME P58 2040S      8
BME P58 4040S      16
OVERCOME LIMITATIONS

There are some options available to expand the architecture beyond the 100m segments seen so far. They are the non-interfering modules that can be used inside the safety loop without impact on the PFD and PFH evaluations. These are:

➢ BMX NRP 0200 / 0201 - Fibre-optic repeater modules
Using NRP modules allows a fibre-optic connection to be used between consecutive X80 I/O drops. This allows for distances up to 15km.

➢ Dual Ring Switches (DRS)
Using Dual Ring Switches (DRS) can extend the distance between consecutive Ethernet remote I/O drops. Each Ethernet section is limited to 100m; inserting a DRS will expand this limitation (up to 15 DRS; one DRS counts as 2 EIO drops).

Hints & Tips
Whilst neither the DRS nor the NRP will be used in this course, they will be covered in more detail in other courses.
Another option available is:

➢ BME NOS 0300, Embedded X80 Ethernet Switching module
This non-interfering module can be implemented with the Safety ePAC to extend the performance of the system architecture. The BME NOS 0300 helps to create sub-rings of remote I/O and distributed I/O devices that participate in an Ethernet remote I/O network.

The embedded X80 Ethernet switching (BME NOS 0300) module:
➢ Can be installed on the local or remote drop to manage distributed equipment.
➢ Allows a maximum of two eNOS modules on the M580 rack.
➢ Has to be mounted on a BME (Ethernet) backplane.
➢ Will achieve acceptable recovery times by limiting each DIO design to a single DIO main ring without sub-rings.
➢ Uses the RSTP protocol and limits the size of the DIO ring to a maximum of 40 switched devices, including the eNOS module.
Activity 4 - IMPLEMENT A REMOTE I/O DROP

In this activity:
• Deploy a simple Daisy Chain Loop architecture
• Implement Safety I/Os as a remote I/O drop.

1. Implement a Remote drop with Safety I/O modules
a. Open the previously created application.
b. From the Project Browser, double-click the EIO Bus item.
c. The previously created application of a remote drop is displayed as shown:
d. Double-click on the appropriate slots to add the rest of the Safety I/O modules. Leave the parameters of all the Safety I/O modules at their defaults.
2. Connect and Transfer the application.
a. From EcoStruxure™ Control Expert V15 for Safety, Build the application.
b. Connect, and Transfer the application.
c. Switch the Safety ePAC controller to the RUN state, and verify that the drop is online.

Note: It is mandatory that the Safety ePAC CPU is configured as either an NTP server or an NTP client; otherwise, the remote I/O modules will not work properly. By default, EcoStruxure™ Control Expert V15 for Safety sets up the Safety ePAC CPU as the NTP server. For the purpose of this training, proceed to the next Exercise to make sure the Safety ePAC CPU is set up as the NTP server.

d. Save the application.
Activity 5 - NTP SERVER CONFIGURATION

In this activity:
• Set up a local NTP server
• Learn how to configure the Safety ePAC CPU as the NTP server.

Instructor Note: This Exercise is for a CPU with FW ≤ 3.10. The CPU MUST update its real-time clock and be configured as an NTP server for use in Ethernet Remote I/O networking. This Exercise is not necessary if the CPU FW is ≥ 3.20: the CPU uses a "monotonic" time clock and does not need the NTP service for Remote I/O networking. However, the BM*CRA31210 must then be upgraded to FW ≥ 2.6. It is good practice to have the CPU clock updated in any case.

UNSTABLE OR LOSS OF TIME SYNCHRONIZATION
Server time is inaccurate or unstable, especially if the network uses a Personal Computer as an NTP server. Windows PCs are the most likely to create problems, whereas an industrial dedicated NTP time server is more reliable.
Failure to follow these instructions can result in injury or equipment damage.

The Microsoft® Windows operating system has an integrated time synchronisation service, installed by default, that can synchronise to an NTP time server. By manipulating the registry settings for the service it can act as both an SNTP client and server to synchronise other network clients.

The 'Windows Time' service should be present in the system's service list. The application executable is 'w32time.exe'. The parameter list for w32time can be found in the registry at:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time

Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

A similar procedure can also be found on the Microsoft website: http://support.microsoft.com/kb/314054
1. Configure the Safety ePAC to be the NTP Server
a. Double-click the embedded Ethernet port of the CPU.
b. Go to the NTP tab.
c. Click on the pull-down menu in the NTP field and select NTP Server.
d. Confirm the selection. The Safety ePAC will be enabled and act as an NTP server.

2. Connect and Transfer the application.
a. From EcoStruxure™ Control Expert V15 for Safety, Build the application.
b. Connect, and Transfer the application.
c. Switch the Safety ePAC controller to the RUN state, and verify that the drop is online, that all Safety I/O modules are healthy and that no errors are present.
d. Save the application.

LOSS OF TIME SYNCHRONIZATION
During operation of the safety system, do not change the time setting in the NTP server or the CPU. Changing the time during operation can cause a loss of communication and a safety system shutdown.
Failure to follow these instructions can result in injury or equipment damage.
DEVICE INTEGRATION

Over recent years there has been large market pressure to optimise integration techniques so that the End User can benefit from the "one stop shop" proposal, reducing overall project costs whilst offering many other benefits.

The initial benefits of Device Integration are:
➢ The device is seen as a part of the system
➢ Shared resources
➢ Common interfaces
➢ Architecture transparency
➢ Consistent tools and environment

The benefits to the End User over the complete project life cycle are:
➢ Reduced development time
➢ Reduced commissioning time
➢ Optimisation of Process Control and Energy Consumption
➢ Reduced downtime (diagnostics, maintenance, device replacement)

RIO & DIO SCANNER SERVICE

Embedded in the Safety ePAC CPU, the RIO Scanner Service:
➢ Supports only specific EtherNet/IP devices (CRA modules)
➢ Is automatically configured by the system
➢ Is deterministic (50ms recovery time)
➢ Is only in certain M580 CPUs (BME P58 *040)
➢ Is available in all Safety ePAC CPUs
➢ Offers optimised performance

Hints & Tips
In the future it will be possible for more devices beyond CRA modules to utilise the RIO Scanner.

Also embedded in all M580 CPUs is the Distributed I/O Scanner Service, which allows Distributed Devices to be integrated into the system architecture. The DIO Scanner Service:
➢ Supports devices using open and standard protocols:
- Modbus/TCP
- EtherNet/IP
➢ Is available in the CPU, or in a network module (eNOC) if a large number of devices is required.
FDT / DTM

Redundant M580 Safety incorporates the Field Device Tool (FDT) / Device Type Manager (DTM) approach to integrating intelligent devices into a process control application. Redundant M580 Safety includes an FDT container that interfaces with the DTMs of EtherNet/IP and Modbus/TCP devices.

A DTM is a collection of properties that define an EtherNet/IP or Modbus/TCP device. Adding a device to the configuration means adding the device's DTM to the Redundant M580 Safety DTM Browser. From the DTM Browser it is possible to open the Device Editor, which can be used to configure the parameters presented by the DTM.

Device manufacturers may provide a DTM for each of their EtherNet/IP or Modbus TCP devices. However, if the EtherNet/IP or Modbus TCP device being used does not have its own DTM available, it may be possible to configure the device by:
➢ Configuring a generic DTM provided in Redundant M580 Safety
➢ Importing the device's EDS file - Redundant M580 Safety will populate the DTM parameters based on the contents of the imported EDS file

Note: The DTM configuration is saved with the .STU file, the .STA archive and with the .ZEF export format, but NOT with the XEF export format. To be able to open a project with a DTM, the computer must have the corresponding DTM installed; otherwise the DTM configuration is lost.

See Also: For further information about FDT / DTM technology, visit http://www.fdtgroup.org .
BME NOS 0300

The BME NOS 0300, an embedded X80 Ethernet switching module, can be implemented with the Safety ePAC to extend the performance of the system architecture. The BME NOS 0300 helps to create sub-rings of remote I/O and distributed I/O devices that participate in an Ethernet remote I/O network.

The embedded X80 Ethernet switching (BME NOS 0300) module:
➢ Can be installed on the local or remote drop to manage distributed equipment.
➢ Allows a maximum of two eNOS modules on the M580 rack.
➢ Has to be mounted on a BME (Ethernet) backplane.
➢ Will achieve acceptable recovery times by limiting each DIO design to a single DIO main ring without sub-rings.
➢ Uses the RSTP protocol and limits the size of the DIO ring to a maximum of 40 switched devices, including the eNOS module.

BME NOC 03X1

The BME NOC 0301 and BME NOC 0311 modules are used for integrating isolated distributed device networks into an M580 architecture. There are three Ethernet ports on the front of the module and one backplane port for connection to the Ethernet bus on the rack. The front two device network ports can provide redundant connections to distributed devices via the RSTP protocol.

The main purpose of the module is to provide I/O scanning services to distributed devices on the device network via:
➢ Modbus/TCP
➢ EtherNet/IP

The distributed devices connected to the BME NOC module can be isolated from the RIO network managed by the Safety ePAC CPU. This is achieved by disabling the backplane Ethernet port.

Depending on the CPU model, the Safety ePAC CPU can support up to 4 BME NOCs on the local rack. BME NOCs cannot be placed on remote racks.

Note: New firmware released July 23rd, 2019 and a Control Expert Hot Fix (HF) are required for BME NOC 0301 - PV ≥13, SV ≥2.15; BME NOC 0311 - PV ≥14, SV ≥2.15.

Important Note: To have 4 eNOCs in the backplane, all MUST be at the correct PV level or higher.
DISTRIBUTED DEVICE CLOUDS

A distributed device cloud is a group of distributed devices that are daisy chained or linked to a standard switch.
➢ A group of distributed devices can support RSTP; however, it is not a mandatory requirement.

A cloud can be connected to the main ring via a DRS/eNOS, via a direct connection to an M580 CPU with the DIO Scanner Service, or via an Ethernet module (BME NOC 03x1) in the Local Rack.

With the BME NOC (eNOC) modules, the integrated distributed devices are separated from the RIO network. This allows for optimum utilization of resources. Daisy chain loops with the RSTP protocol are supported.
ECOSTRUXURE™ CONTROL EXPERT V15 FOR SAFETY EVOLUTION

Unity Pro Version 8.0 was the start of an evolution that will see greater Device Integration of both Schneider Electric and Partner devices. This will reduce the time, and therefore the cost, for the End User to create and deploy system architectures similar to this:

DEVICE INTEGRATION BENEFITS

The inclusion of enhanced Device Integration within Redundant M580 Safety will allow the End User to focus on their process and not on the automation architecture that is running the process. It will also reduce the costs of training, maintenance, spares, etc.

Having devices integrated into Redundant M580 Safety will mean:
➢ One single and easy-to-use tool for faster design - featuring fully assisted configuration
➢ One single operation for updating the whole system - one application reference file
➢ Access to any field data at any time - with application libraries to benefit from Schneider Electric knowledge
➢ DTM access from a single point (Redundant M580 Safety or any FDT-based tool) - a full set of Device, Communication and Gateway DTMs
➢ Openness and interoperability.
SAFETY AND NON-SAFETY MEMORIES

SAFETY MEMORY CELLS ISOLATION

The safety memory is physically different from the standard CPU memory. There is a strict isolation between the safe (Safety area) and non-safe memory areas (Process and Exchange areas). This means that a non-safe task CANNOT read or write a safe variable or modify the code of the safe task.

The variable assignment to those areas is done in the variable editor screen of EcoStruxure™ Control Expert V15 for Safety.
➢ For the safety application, unlocated variables are stored in the dedicated Safe Data memory (1024 Kbyte).
➢ For the process application, variables are stored in another data segment called the dedicated Process Data memory (2048 Kbyte).
➢ For interfacing between the two memory areas, variables are exchanged via the Interface connectors:
- Input interface variables created in this part are exchanged from the process part of the application to the safety part of the application (16 Kbyte).
- Output interface variables created in this part are exchanged from the safety part of the application to the process part of the application (16 Kbyte).

The data exchanges in the SAFE task are done:
➢ At the BEGINNING, to transfer data from the Exchange area to the Safety area
➢ At the END, to transfer data from the Safety area to the Exchange area

The data exchanges in the MAST task are done:
➢ At the BEGINNING, to transfer data from the Exchange area to the Process area
➢ At the END, to transfer data from the Process area to the Exchange area
DATA TRANSFER - SAFETY TO PROCESS

There are 3 memory areas inside the Safety ePAC CPU:
➢ Global Data Memory area
➢ Process Data Memory (non-safety) area
➢ Safety Data Memory (safety) area

Basically, to transfer data variables between Process and Safety, the setup is done via the "Effective Parameter" column in the Data Editor table. Memory independence / isolation is TÜV certified; because the transfer goes through the "Effective Parameter" mechanism, there is no need to certify a separate memory transfer mechanism.

These are the steps to transfer variables from the Safety to the Process location:
➢ Declare, in the "Output Interface" of the Data Editor in the Safety memory area, the variables that need to be transferred out of the Safety memory area, e.g. "Safety_Value" as Integer.
➢ Declare, in the "Input Interface" of the Data Editor in the Process memory area, the variables that will receive the data in the Process memory area, e.g. "SData" as Integer.
➢ From the Safe Data Editor table, under the "Effective Parameter" column of the selected variable, click the ellipsis button to retrieve the variable from the Process memory area.
➢ Once this variable is selected, the "Effective Parameter" column of both tables, Process Data Editor and Safe Data Editor, is automatically updated accordingly.
Activity 6 - TRANSFER SAFETY TO PROCESS

In this activity:
• Learn how to transfer data from the Safety to the Process area.

1. Set up the variable to transfer out of the Safety area
a. From the Project Browser, under the branch Program-SAFE, open Variables & FB Instances.
b. Click on the Interface tab of the Safe Data Editor.
c. Create an output interface connector with a variable called Safety_Value of data type INT.

Hints & Tips
To see only the SAFETY area, right-click on "Program-SAFE" and select the menu "Zoom in". Selecting "Zoom out" returns to the structural view of the current project.

2. Set up the variable to receive into the Process memory area
a. From the Project Browser, under the branch Programs-PROCESS, open Variables & FB Instances.
b. Click the Interface tab of the Process Data Editor.
c. Create an input interface with a variable SData of data type INT.

Hints & Tips
To see only the PROCESS area, right-click on "Program-PROCESS" and select the menu "Zoom in". Selecting "Zoom out" returns to the structural view of the current project.
3. Configure the Effective Parameter column to link and associate the two variables
a. From the Project Browser, under the branch Program-SAFE, open Variables & FB Instances.
b. Click on the Interface tab of the Safe Data Editor.
c. From the Safe Data Editor table, under the "Effective Parameter" column of the selected variable, double-click the field to access the ellipsis button.
d. A dialog window is displayed as shown:
e. Select "PROCESS", to access the process memory area, from the drop-down menu.
f. Select the variable "SData" from the table list.
g. When done, click the OK button.
h. Observe that the "Effective Parameter" column of both tables, Process Data Editor and Safe Data Editor, is updated accordingly.
4. Build, Connect, Transfer and Test the application
a. From EcoStruxure™ Control Expert V15 for Safety, Build, Connect and Transfer the application.
b. Run the application.
c. Open 2 Animation Tables and set the windows to Tile Horizontally for:
d. Program-SAFE -> Animation Table - S: TableSafe
e. Testing variable: Safety_Value
f. Program-PROCESS -> Animation Table - P: TableProcess
g. Testing variable: SData
h. Test and simulate the data value in the Animation Table for the Safety memory area and observe the data being updated in the Process memory area.
i. Modify the data value in the Animation Table for the Process memory area and observe the data in the Safety memory area.
j. What happened? Why is the data in the Safety area not updated? ______________________________________________________
k. Rectify any error(s).
l. When done, Save the application.
DATA TRANSFER - PROCESS TO SAFETY

There are 3 memory areas inside the Safety ePAC CPU:
➢ Global Data Memory area
➢ Process Data Memory (non-safety) area
➢ Safety Data Memory (safety) area

Basically, to transfer data variables between Process and Safety, the setup is done via the "Effective Parameter" column in the Data Editor table. Memory independence / isolation is TÜV certified; because the transfer goes through the "Effective Parameter" mechanism, there is no need to certify a separate memory transfer mechanism.

Following are the steps to transfer variables from the Process to the Safety location:
➢ Declare, in the "Output Interface" of the Data Editor in the Process memory area, the variables that need to be transferred out of the Process memory area, e.g. "PData" as Integer.
➢ Declare, in the "Input Interface" of the Data Editor in the Safety memory area, the variables that will receive the data in the Safety memory area, e.g. "Process_Value" as Integer.
➢ From the Process Data Editor table, under the "Effective Parameter" column of the selected variable, click the ellipsis button to retrieve the variable from the Safety memory area.
➢ Once this variable is selected, the "Effective Parameter" column of both tables, Process Data Editor and Safe Data Editor, is automatically updated accordingly.
Activity 7 - TRANSFER PROCESS TO SAFETY

In this activity:
• Learn how to transfer data from the Process to the Safety area.

1. Set up the variable to transfer out of the Process area
a. From the Project Browser, under the branch Programs-PROCESS, open Variables & FB Instances.
b. Click on the Interface tab of the Process Data Editor.
c. Create an output interface connector with a variable called PData of data type INT.

Hints & Tips
To see only the PROCESS area, right-click on "Program-PROCESS" and select the menu "Zoom in". Selecting "Zoom out" returns to the structural view of the current project.

2. Set up the variable to receive into the Safety memory area
a. From the Project Browser, under the branch Program-SAFE, open Variables & FB Instances.
b. Click the Interface tab of the Safe Data Editor.
c. Create an input interface with a variable Process_Value of data type INT.

Hints & Tips
To see only the SAFETY area, right-click on "Program-SAFE" and select the menu "Zoom in". Selecting "Zoom out" returns to the structural view of the current project.
3. Configure the Effective Parameter column to link and associate the two variables
a. From the Project Browser, under the branch Programs-PROCESS, open Variables & FB Instances.
b. Click on the Interface tab of the Process Data Editor.
c. From the Process Data Editor table, under the "Effective Parameter" column of the selected variable, double-click the field to access the ellipsis button.
d. A dialog window is displayed as shown:
e. Select "SAFE", to access the safety memory area, from the drop-down menu.
f. Select the variable "Process_Value" from the table list.
g. When done, click the OK button.
h. Observe that the "Effective Parameter" column of both tables, Process Data Editor and Safe Data Editor, is updated accordingly.
4. Build, Connect, Transfer and Test the application
a. From EcoStruxure™ Control Expert V15 for Safety, Build, Connect and Transfer the application.
b. Run the application.
c. Open 2 Animation Tables and set the windows to Tile Horizontally for:
d. Program-SAFE -> Animation Table - S: TableSafe
e. Testing variable: Process_Value
f. Program-PROCESS -> Animation Table - P: TableProcess
g. Testing variable: PData
h. Test and simulate the data value in the Animation Table for the Process memory area and observe the data being updated in the Safety memory area.
i. Modify the data value in the Animation Table for the Safety memory area and observe the data in the Process memory area.
j. What happened? Why is the data in the Process area not updated? _____________________________________________________
k. Rectify any error(s).
l. When done, Save the application.
PROCESS SAFETY TIME

When designing a Safety Instrumented Function, it is mandatory to define the Process Safety Time and make sure that the function will be executed within this time.

According to IEC 61508, part 2, 7.4.3.2.5: the process safety time is defined as the period between a failure occurring in the EUC (Equipment Under Control) or the EUC control system (with the potential to give rise to a hazardous event) and the occurrence of the hazardous event if the safety function is not performed.

PAC CYCLE TIME

Inside a standard PAC system, a simple application is basically managed in 3 steps:
1. Inputs Acquisition. The CPU reads all the inputs into its buffer, coming from different media (local or remote rack, communication, etc.).
2. Program Execution. The main program (MAST task) is executed.
3. Outputs Update. As a result of the main program, the outputs are written to the buffer. Then all these values are transmitted to the modules located on the different media (local or remote racks, communication, etc.).

For a Safety ePAC, the Safe Task execution MUST be in PERIODIC mode. The PAC cycle must be completed before this time-out expires and launches a new cycle.
SYSTEM REACTION TIME

The System Reaction Time is the sum of the PAC reaction time plus the reaction times of the selected sensor (TS) and the selected actuator (TA). TS and TA are device specific. For each safety loop, the system reaction time must be less than the process safety time.

The system reaction time is illustrated below:

For I/O modules on the main rack (with the CPU):
➢ PAC reaction time (local) = TCPU + TI + TO

For I/O modules located in a remote rack:
➢ PAC reaction time (remote) = TCPU + TCOMM_IN + TI + TCOMM_OUT + TO

RISK OF EXCEEDING THE PROCESS SAFETY TIME
Set the maximum CPU SAFE task period by taking into account the process safety time. The CPU SAFE task period must be less than the application process safety time.
Failure to follow these instructions can result in death, serious injury, or equipment damage.
CONSIDERATION FOR PROCESS SAFETY TIME

For each safety loop, the user has to validate the compliance of the maximum safety reaction time with the process safety time, including the sensor and actuator characteristics.

After commissioning, while running in safe mode, the Safety ePAC CPU is guaranteed to perform the following periodically (period configured in the application):
➢ Reaction time for the sensor(s)
➢ Read the input images from all local and remote Safety I/O modules
➢ Process the user safety logic and all the CPU diagnostics
➢ Send the logic results to all the local and remote Safety output modules
➢ Reaction time for the actuator(s)

In case of any internal fault, the CPU stops consistent communication with the local and remote safety I/O modules. A fault in a Safety I/O module is considered safe information which can be processed by the CPU application. The safe state is "no consistent communication with the safety output modules".

The maximum CPU safety reaction time is equal to 2 x SAFE task period + FAST task period.

Note: The Process Safety Time is determined by your specific safety process. The user needs to verify that the safety-related system can perform its safety functions within the Process Safety Time. As the Safety I/Os are managed by the SAFE task, the PAC Reaction Time depends on the SAFE task cycle time. The Process Safety Time is always given for the worst case and is linked to the Watchdog Time, not to the PAC cycle time.
SAFETY WATCHDOG

The watchdog application mechanisms have to be carried out to prevent the Reaction Time from exceeding the Process Safety Time. To achieve this, the watchdog period in the Safe Task properties of the Safety ePAC must be set to an appropriate value.

Knowing that the application response time must be lower than the process safety time, and that the application response time is lower than or equal to 2 times the PAC cycle time (i.e. the Safe Task periodic time), the PLC watchdog must be less than half the Process Safety Time.

Note: The customer must carefully set the watchdog as it impacts the periodic cycle time, and hence the reaction time.

RISK OF EXCEEDING THE PROCESS SAFETY TIME
Set the maximum CPU SAFE task period by taking into account your process safety time. Your CPU SAFE task period must be less than your project process safety time.
Failure to follow these instructions can result in death, serious injury, or equipment damage.
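The reaction-time relations from the System Reaction Time, Consideration for Process Safety Time and Safety Watchdog sections, carried through as a loop-validation check. This is an added example written for this page, not Schneider Electric code; the loop figures are constructed sample values, and the combination of sensor, CPU task-period bound and actuator times into one worst-case figure is this example's own check built from the page's formulas.

```python
"""Process safety time checks for one M580 Safety loop (added example, not Schneider code).

Relations taken from the training pages (all times in milliseconds):
  PAC reaction time (local)    = TCPU + TI + TO
  PAC reaction time (remote)   = TCPU + TCOMM_IN + TI + TCOMM_OUT + TO
  System reaction time         = TS + PAC reaction time + TA
  Max CPU safety reaction time = 2 x SAFE task period + FAST task period
  SAFE task period             < Process Safety Time
  SAFE task watchdog           < Process Safety Time / 2
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class SafetyLoopTiming:
    pst: float           # Process Safety Time from the hazard analysis
    ts: float            # sensor reaction time (device specific)
    ta: float            # actuator reaction time (device specific)
    t_cpu: float         # CPU processing time for the safety logic
    t_in: float          # safety input module acquisition time
    t_out: float         # safety output module update time
    safe_period: float   # configured SAFE task period (PERIODIC mode)
    fast_period: float   # configured FAST task period
    watchdog: float      # SAFE task watchdog setting
    t_comm_in: float = 0.0   # RIO inbound communication time (remote drop only)
    t_comm_out: float = 0.0  # RIO outbound communication time (remote drop only)
    remote: bool = False     # True when the safety I/O sits in an X80 remote drop


def pac_reaction_time(t: SafetyLoopTiming) -> float:
    """PAC reaction time using the local or the remote-rack formula."""
    local = t.t_cpu + t.t_in + t.t_out
    return local + t.t_comm_in + t.t_comm_out if t.remote else local


def system_reaction_time(t: SafetyLoopTiming) -> float:
    """Sensor + PAC + actuator reaction time for the loop."""
    return t.ts + pac_reaction_time(t) + t.ta


def max_cpu_safety_reaction_time(safe_period: float, fast_period: float) -> float:
    """Worst-case CPU safety reaction time derived from the task periods."""
    return 2 * safe_period + fast_period


def watchdog_limit(pst: float) -> float:
    """Upper bound for the SAFE watchdog: half the Process Safety Time."""
    return pst / 2


def validate_loop(t: SafetyLoopTiming) -> dict:
    """Compute every figure and evaluate each design rule of the page."""
    sys_rt = system_reaction_time(t)
    cpu_rt = max_cpu_safety_reaction_time(t.safe_period, t.fast_period)
    # Worst case seen by the process: sensor + CPU task-period bound + actuator
    # (this combination is the example's own check, built from the page's terms).
    worst_rt = t.ts + cpu_rt + t.ta
    return {
        "pac_reaction_time": pac_reaction_time(t),
        "system_reaction_time": sys_rt,
        "max_cpu_safety_reaction_time": cpu_rt,
        "worst_case_system_reaction_time": worst_rt,
        "watchdog_limit": watchdog_limit(t.pst),
        "safe_period_below_pst": t.safe_period < t.pst,
        "system_reaction_below_pst": sys_rt < t.pst,
        "worst_case_below_pst": worst_rt < t.pst,
        "watchdog_below_half_pst": t.watchdog < watchdog_limit(t.pst),
    }


def loop_is_compliant(t: SafetyLoopTiming) -> bool:
    """True only when every rule in validate_loop() holds."""
    result = validate_loop(t)
    return all(v for k, v in result.items() if isinstance(v, bool))


# Constructed sample loop: safety I/O in a remote drop, PST of 500 ms.
SAMPLE_LOOP = SafetyLoopTiming(pst=500, ts=20, ta=50, t_cpu=10, t_in=5, t_out=5,
                               safe_period=50, fast_period=5, watchdog=200,
                               t_comm_in=30, t_comm_out=30, remote=True)

if __name__ == "__main__":
    for name, value in validate_loop(SAMPLE_LOOP).items():
        print(f"{name:32s} {value}")
    print("compliant:", loop_is_compliant(SAMPLE_LOOP))
    # Same loop with the watchdog raised above PST/2 fails the watchdog rule.
    print("watchdog 300 ms compliant:",
          loop_is_compliant(replace(SAMPLE_LOOP, watchdog=300)))
```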
IMPACT OF TASK EXECUTION

The safety application in the Safety ePAC CPU can only run in PERIODIC mode; cyclic execution is not supported. With its multi-tasking system, the Safety ePAC CPU is able to execute SAFE, MAST, FAST and AUX tasks. The following drawing illustrates the execution of each task in a multi-task system and depicts the pre-emption of CPU resources depending on task priority:

Note: Safety inputs (SDI/SAI) are read at the beginning of the SAFE task. Safety outputs (SDO/SRA) are written at the end of the SAFE task.

Each configured task consumes a portion of CPU processing time, or bandwidth. The estimated percentage of CPU bandwidth consumed by a task is the quotient of the estimated execution time required by the task (ETASK) divided by the configured execution period of that task (TTASK):

➢ Task bandwidth = ETASK / TTASK (execution time / task period)

The total percentage of CPU bandwidth consumed by an application is the sum of the CPU bandwidth percentages consumed by all tasks.
RECOMMENDED MINIMUM SAFE TASK PERIOD

The SAFE task supports only periodic execution. Set the SAFE task period to a value greater than the minimum transfer time of the SAFE task data. This minimum transfer time is a function of the size of the data to be transferred by the SAFE task. The minimum SAFE task period can be calculated with the following formula:

➢ Minimum SAFE Task Period = greater of 10 ms or ((0.156 × Data Size) + 2 ms)

RECOMMENDED CPU BANDWIDTH

For optimal CPU performance, Schneider Electric recommends that 20% of the CPU bandwidth remain idle. Thus, the total percentage of CPU bandwidth consumed by an application should not exceed 80%. The following table presents two applications and indicates the impact of the high-priority tasks (FAST and SAFE) on total CPU bandwidth usage:

#   Task    Per (TTASK)   Exe (ETASK)   BW
1   FAST    5 ms          1 ms          20%
    SAFE    20 ms         5 ms          25%
    MAST    50 ms         18 ms         36%
    AUX0    200 ms        30 ms         15%
    Total                               96%

2   FAST    7 ms          1 ms          14%
    SAFE    25 ms         5 ms          20%
    MAST    60 ms         18 ms         30%
    AUX0    200 ms        30 ms         15%
    Total                               79%

- Per = Task period (TTASK)
- Exe = Execution time required by the task (ETASK)
- BW = Task bandwidth in percent

Hints & Tips: For optimal CPU performance, Schneider Electric recommends that the total percentage of CPU bandwidth consumed by an application not exceed 80%.
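The rules spread over the last four sections (reaction time = 2 × SAFE + FAST, watchdog below half the process safety time, the minimum SAFE period formula and the 80% bandwidth recommendation) are easy to check mechanically before a project is loaded. The following is an added example written for this page, not Schneider Electric code: it reproduces the two applications of the bandwidth table and reports which rules a proposed configuration breaks. Treating "Data Size" in the minimum-period formula as kilobytes is an assumption (the page gives the coefficient but not the unit), and the rule that the watchdog must not be shorter than the task period is a general Control Expert constraint rather than something stated on this page.

```python
# Added example (not Schneider's code): checks a SAFE/FAST/MAST/AUX task
# configuration against the timing rules stated on this page. All times in ms.
from dataclasses import dataclass


@dataclass(frozen=True)
class Task:
    name: str
    period_ms: float   # configured task period, TTASK
    exec_ms: float     # estimated execution time, ETASK

    @property
    def bandwidth(self) -> float:
        """Task bandwidth = ETASK / TTASK, as a fraction of CPU time."""
        return self.exec_ms / self.period_ms


def total_bandwidth(tasks) -> float:
    """Sum of the per-task bandwidths; the page recommends keeping this <= 0.80."""
    return sum(t.bandwidth for t in tasks)


def min_safe_task_period_ms(safe_data_kb: float) -> float:
    """Recommended minimum SAFE task period: the greater of 10 ms or
    0.156 x Data Size + 2 ms. Treating Data Size as kilobytes is an
    assumption; the page gives the coefficient but not the unit."""
    return max(10.0, 0.156 * safe_data_kb + 2.0)


def max_cpu_reaction_time_ms(safe_period_ms: float, fast_period_ms: float) -> float:
    """Worst-case CPU safety reaction time = 2 x SAFE task period + FAST task period."""
    return 2 * safe_period_ms + fast_period_ms


def check_configuration(tasks, process_safety_time_ms, safe_watchdog_ms,
                        safe_data_kb, idle_target=0.20):
    """Return the list of rule violations; an empty list means the configuration passes."""
    by_name = {t.name: t for t in tasks}
    safe = by_name["SAFE"]
    fast_period = by_name["FAST"].period_ms if "FAST" in by_name else 0.0
    findings = []

    bw = total_bandwidth(tasks)
    if bw > 1.0 - idle_target:
        findings.append(f"bandwidth {bw:.0%} exceeds the {1.0 - idle_target:.0%} recommendation")

    floor = min_safe_task_period_ms(safe_data_kb)
    if safe.period_ms < floor:
        findings.append(f"SAFE period {safe.period_ms} ms is below the {floor:.1f} ms minimum")

    if safe.period_ms >= process_safety_time_ms:
        findings.append("SAFE period must be less than the process safety time")

    reaction = max_cpu_reaction_time_ms(safe.period_ms, fast_period)
    if reaction >= process_safety_time_ms:
        findings.append(f"reaction time {reaction} ms reaches the process safety time")

    # Watchdog < PST / 2, because the response time is at most 2 x the SAFE period.
    if safe_watchdog_ms >= process_safety_time_ms / 2:
        findings.append("SAFE watchdog must be less than half the process safety time")
    # General Control Expert constraint, not from this page: a watchdog shorter
    # than the task period would trip on every cycle.
    if safe_watchdog_ms < safe.period_ms:
        findings.append("SAFE watchdog is shorter than the SAFE period")
    return findings


# The two applications from the bandwidth table above.
APP1 = (Task("FAST", 5, 1), Task("SAFE", 20, 5), Task("MAST", 50, 18), Task("AUX0", 200, 30))
APP2 = (Task("FAST", 7, 1), Task("SAFE", 25, 5), Task("MAST", 60, 18), Task("AUX0", 200, 30))

if __name__ == "__main__":
    for label, app in (("App 1", APP1), ("App 2", APP2)):
        print(label, f"{total_bandwidth(app):.0%}",
              check_configuration(app, process_safety_time_ms=100,
                                  safe_watchdog_ms=40, safe_data_kb=10))
```

With a 100 ms process safety time, a 40 ms watchdog and 10 KB of SAFE data, application 1 fails only on bandwidth (96%) and application 2 passes; lowering the process safety time to 60 ms makes application 2 fail on the watchdog rule even though its 57 ms reaction time still fits.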
SUMMARY

This chapter introduced the initial safety system design considerations when implementing the Modicon M580 Safety ePAC.

QUESTIONS

The following questions will help to check understanding of the topics covered in this chapter:
➢ What are the different types of I/O architecture possible for the Safety ePAC?
➢ In a Safety Ethernet architecture, what are the available options to extend the Ethernet cable limit beyond 100 m?
➢ Can non-safety I/O modules be used in a Safety ePAC architecture?
➢ What are the benefits of integrating non-safety devices into the Safety network?
➢ Explain how data can be transferred from the safety to the non-safety memory area.
➢ Why is it important to define the Process Safety Time?
Chapter 5 - SAFETY I/O MODULES

Safety ePAC I/O modules are part of the Safety ePAC system architecture. They are designed to be installed locally in the main rack of the Safety CPU, or remotely via the Ethernet Remote I/O network, closer to the sensors and actuators, thus reducing wiring costs. The 4 Safety I/O modules described here can be installed on existing M340 racks and on M580 Ethernet racks, powered by the safety redundant power supply unit. The non-interfering I/O modules are also introduced here; they allow the system to mix safety and non-safety modules in a safety application. This chapter provides information on how to implement the 4 Safety I/O modules.

CONTENTS:
Safety I/O Modules ................................................ 174
Safety Digital Input Module ...................................... 184
Safety Digital Output Module ..................................... 196
Safety Relay Output Module ....................................... 204
Safety Analog Input Module ....................................... 223
Non-interfering Modules .......................................... 235
SAFETY I/O MODULES

The Safety I/O modules are part of the M580 Safety system architecture. They are designed to be installed locally in the main rack of the Safety CPU, or remotely via the Ethernet RI/O network, closer to the sensors and actuators, thus reducing wiring costs.

The M580 Safety system supports:
➢ X80 non-interfering I/O modules, which are used in an M340 system
➢ Current and future Ethernet-based eX80 non-interfering I/O modules, which are used in the current M580 system
➢ The Safety I/O modules that are certified by TÜV Rheinland
➢ Adding and deleting Safety I/O modules with the CCOTF feature. Modifying parameters with CCOTF is NOT allowed in Safety.

The Safety I/O modules can be installed in either the Ethernet backplane (BME XBP) or the existing X-Bus backplane (BMX XBP).
➢ They support the hot swap feature.
➢ When used in Safety remote I/O with a CPU firmware ≤ 3.10, the CPU MUST be configured as an NTP server or client; otherwise the modules will not work.

The M580 Safety controller works with X80 as its safety and non-interfering local and remote I/O module drops. The Ethernet remote I/O drop rack can only support one extension rack of X80 I/O modules via X-Bus connection. All of the Safety I/O modules (except BMX SRA xxxx) are compliant with harsh environments such as types 3C2 and 3C3 described in the standard IEC/EN 60721-3-3, or types G3 and GX described in the standard ISA-S71.04.

Note: For a CPU with FW ≤ 3.10, if Safety I/O modules are installed on an X80 RI/O rack, it is mandatory that the CPU is configured as either an NTP server or client; otherwise, the modules will not work correctly.

The Safety RI/O networking uses "BLACK CHANNEL" communication and it is NOT COMPATIBLE with the Quantum Safety RI/O "BLACK CHANNEL". BUT peer-to-peer communication using "BLACK CHANNEL" between M580 Safety and Quantum Safety IS COMPATIBLE.

For a CPU with FW ≥ 3.20, the safe time synchronization is based on an internal, "monotonic" time clock. This does not require NTP time synchronization. The CPU shares its safe time with all its local, remote and safe peer-to-peer communication. The CRA module needs FW ≥ 2.60. A monotonic clock is a time source that never jumps forward or backward (as the wall clock does under NTP or daylight-saving time updates), so the safety time base does not follow corrections coming from an external time source.
SAFETY MODULE DEVICE DDT

Each Safety ePAC I/O module is managed through its own Device Derived Data Type (Device DDT) via the implicit data exchanges between the CPU and the Safety I/O module. The data includes all of the module's status and diagnostic information.

Reference       Description                          Device DDT
BMX SDI 1602    16 digital inputs, 24 Vdc            T_U_DIS_SIS_IN_16
BMX SDO 0802    8 digital outputs, 24 Vdc, 0.5 A     T_U_DIS_SIS_OUT_8
BMX SAI 0410    4 analog inputs, 4-20 mA             T_U_ANA_SIS_IN_4
BMX SRA 0405    4 relay outputs                      T_U_DIS_SIS_OUT_4

When the SAFE task on the CPU is not in RUN mode, the data exchanged between the CPU and the modules is not updated, and the following health status bits are set to "0":
➢ MOD_HEALTH,
➢ SAFE_COM_STS, and
➢ CH_HEALTH

Note: System bits, system words and located variables are NOT allowed in the safety code sections managed by the SAFE task. Dedicated function blocks are available in the Safety library to retrieve system information related to the context of the SAFE task (i.e. operating mode, time management and error handling). They are only usable in "Safety" user code, through:
➢ "S_SYST_READ_TASK_BIT_MX", and
➢ "S_SYST_RESET_TASK_BIT_MX"
All system bits and words are available to all other tasks except the SAFE task.
MODULE UNIQUE IDENTIFICATION (MUID)

Every Safety ePAC I/O module has a unique identification called the "Module Unique Identification" (MUID). To avoid addressing errors, each Safety I/O module has a unique tag number in its configuration. The MUID is used to identify the module in the plant. The MUID can be seen in the I/O screen of EcoStruxure™ Control Expert V15 for Safety. It can also be changed by a command from EcoStruxure™ Control Expert V15 for Safety, by selecting the menu Build » Renew Ids & Rebuild All.

The Device DDT structure of each I/O module contains the MUID field:
➢ An array of four 32-bit words that identifies each module
➢ This unique identifier is computed during the first build of the project
➢ The user has to verify each Safety I/O module during commissioning:
  o It can be validated from the Control Expert I/O screen, or
  o From the module's Device DDT
PROTECT SAFETY I/O MODULE CONFIGURATION

Like the other X80 I/O modules, all Safety I/O modules have to receive a configuration from the main processor. This configuration is generated by the EcoStruxure™ Control Expert V15 for Safety software tool. The setup and configuration parameters of the I/O modules have to be filled in by the user in the EcoStruxure™ Control Expert V15 for Safety I/O configuration screen.

To avoid any unauthorised modification of a Safety I/O module, a physical BLUE button located on top of the I/O module is used to LOCK and UNLOCK the module configuration. Using the Lock/Unlock mode is not mandatory for the user.

On power-up, the module starts:
➢ With its DEFAULT configuration, if the module contains no configuration in its locked internal memory.
➢ With its internally STORED configuration, if the module's existing configuration is locked inside the memory.

When the module receives a new configuration from the CPU:
➢ The module uses this new configuration if its current configuration is UNLOCKED.
➢ The module does NOT ACCEPT this new configuration if the configuration is not compliant with the module, or if the current configuration is LOCKED inside the memory.

Locked mode lets the user secure the module's configuration so that it cannot be changed by mistake.
➢ To LOCK a module, push and hold the BLUE button for more than 3 seconds until the LCK LED flashes fast.
➢ To UNLOCK a module, push and hold the BLUE button for more than 3 seconds until the LCK LED flashes fast (the same gesture toggles between the two states).
IMPORTANCE OF LOCK/UNLOCK I/O MODULES

Important points to note:
➢ A configuration modification cannot be done on-line; CCOTF is not allowed for modifying a Safety I/O configuration.
➢ A LOCKED I/O module cannot accept any other configuration, even at CPU boot time.
➢ Once UNLOCKED, the module accepts any configuration at boot time.
➢ If a module does not have the right configuration (because it is LOCKED), the safety application will not run properly (health state is set to bad).
➢ If "Renew Ids & Rebuild All" is used, you must UNLOCK all I/O modules so that they can be configured with the new module IDs.
➢ If only "Build all" is used, the module IDs do not change. The user only has to UNLOCK the modules whose configuration needs to be modified.
➢ If the user makes no configuration modification but uses "Renew Ids & Rebuild All", none of the Safety I/O modules will run (health state is set to bad).

To perform a safety function in a safe way, the module must have its configuration LOCKED. If the module is UNLOCKED, it works in the same way, but it may receive and accept a new configuration that has not been validated by the customer. The lock is enforced by the module itself, so a locked module rejects a differing configuration whatever its source, whether an operator's mistake or an unauthorised download to the CPU.

SAFETY MODULE LEDS DIAGNOSTIC

The following table shows the behaviour of the LEDs (RUN, Err, I/O, LCK) on all Safety I/O modules (X = any state):

Blinking, Blinking, Blinking, Blinking: Auto-test of the module at power-on
Blinking, ON, OFF, Blinking: Auto-test at power-on has detected an internal fault on input channels
OFF, ON, OFF, OFF / Blinking, OFF, OFF: Internal fault
ON, X, X, X: Configuration by CPU not performed
ON, Blinking, X, ON / Flickering, X, X: External fault on input channel detected
ON, Flickering, X, ON / OFF, X: No communication between CPU and module
ON, OFF, ON, OFF: Communication not safe and configuration unlocked
OFF, OFF, ON: Communication not safe and configuration locked
X: Input channel internal fault
OFF: Communication with CPU is OK; configuration is unlocked
ON, OFF, ON: Communication with CPU is OK; configuration is locked
Activity 8 - I/O MODULES PROTECTION

In this activity:
• Identify the health status of each Safety I/O module
• Identify the Module Unique Identification (MUID)
• Learn how to lock and unlock the module's configuration

1. Download the previously created project to the Safety ePAC CPU
a. Open the previously created application.
b. Make sure there are no errors in the application. Rectify any errors.
c. Connect, transfer the application to the CPU and run it.
d. Make sure the RUN LED on the front panel display of the CPU is lit.
e. Rectify any errors.

2. Identify the status of a Safety module via its Device DDT
a. For this exercise, we look into the Device DDT of the Safety Digital Input module, BMX SDI 1602. The same concept applies to all Mx80 Safety I/O modules.
b. Go to the Program » Safety folder in the Project Browser and open Variables & FB Instances.
c. Create a new Animation Table for the Safety DI module, BMX SDI 1602.
d. Expand the variable and inspect the available properties:
e. Write down the current values of the following parameters:
• Lock/Unlock status of the Safety module:
  CONF_LOCKED: _____________________
• Module Unique Identification number (MUID):
  MUID[0]: _____________________
  MUID[1]: _____________________
  MUID[2]: _____________________
  MUID[3]: _____________________

3. Protect the Safety I/O module configuration from any changes
a. Locate the BLUE button on top of the Safety Digital Input module, BMX SDI 1602. Note that all other Safety I/O modules have the same feature. For this exercise, we work only on the Safety Digital Input module.
b. To LOCK the module's configuration, push and hold the BLUE button for more than 3 seconds until the LCK LED flashes fast.
c. Release the BLUE button.
d. Observe that the LCK LED stays ON. [LED image: RUN, Err, I/O, LCK]
e. What is the value of the CONF_LOCKED parameter in the Safety DI module's Device DDT?
• CONF_LOCKED: _____________________
The configuration of the Safety Digital Input module, BMX SDI 1602, is now secured against any further changes made by mistake.
4. Observe the behaviour of the CPU when a NEW application is downloaded
a. Create a NEW project with only its hardware configuration.
b. Build the application and make sure there are no errors in it. Rectify any errors.
c. Connect, transfer the application to the CPU and run it. DO NOT SAVE THIS PROJECT FILE.
d. Observe the ERR LED status on the Safety DI module. [LED image: RUN, Err, I/O, LCK]
e. Why is the ERR LED flickering? What has happened?
A new generation of MUID is created whenever a new project is created. The module is in fall-back mode: its internal communication with the CPU is not safe, and its previous configuration is locked and stored inside the module's memory.

5. Compare the current MUID with the status recorded in step 2
a. Go to the Program » Safety folder in the Project Browser and open Variables & FB Instances.
b. Create a new Animation Table for the Safety DI module, BMX SDI 1602.
c. Expand the variable and inspect the available properties:
d. Write down the current values of the following parameters:
• Lock/Unlock status of the Safety module:
  CONF_LOCKED: _____________________
• Module Unique Identification number (MUID):
  MUID[0]: _____________________
  MUID[1]: _____________________
  MUID[2]: _____________________
  MUID[3]: _____________________
e. Compare the current values with the values recorded in step 2.
f. Are there any differences? Why?

6. Unlock the module configuration to accept new parameters
a. To UNLOCK the module's configuration, push and hold the BLUE button for more than 3 seconds until the LCK LED flashes fast.
b. Release the BLUE button.
c. Observe that the LCK LED is OFF. [LED image: RUN, Err, I/O, LCK]
d. What is the value of the CONF_LOCKED parameter?
• CONF_LOCKED: _____________________
The configuration of the Safety Digital Input module, BMX SDI 1602, is now unlocked and unprotected. The module will now accept a new configuration downloaded from EcoStruxure™ Control Expert V15 for Safety.
e. With the current project file, connect and transfer the application to the CPU.
f. Run the application.
g. Observe the Device DDT and the LED status of the Safety DI module. Are there any errors from the Safety DI module? Why?
With the module UNLOCKED, a new configuration (including a new MUID) can be downloaded and is accepted by the Safety I/O module.
7. Restore the CPU to its original configuration
a. Close the current EcoStruxure™ Control Expert V15 for Safety project file. DO NOT SAVE THIS PROJECT FILE.
b. Return to the original project: open the previously created project file.
c. Connect and transfer the application to the CPU.
d. Run the application.
e. Make sure the RUN LED on the front panel display of the CPU is lit.
f. Rectify any errors.
g. When finished, close EcoStruxure™ Control Expert V15 for Safety.
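The LOCK/UNLOCK rules listed under "Importance of Lock/Unlock I/O Modules" and the sequence just walked through in Activity 8 can be captured as a small state model, which is useful when reasoning about what a locked module will do before touching the hardware. The following is an added example written for this page, not Schneider Electric code and not the module firmware: `SafetyInputModule`, `Project`, `derive_muid` and the health fields it reports are a simplification, and deriving the four 32-bit MUID words from a SHA-256 of the project name and a build generation counter is an assumption made only so that "Build all" and "Renew Ids & Rebuild All" behave as the page describes (same MUID versus new MUID).

```python
# Added example (not Schneider's code): a model of the LOCK/UNLOCK and MUID
# rules described above, used to reason about what a locked Safety I/O module
# does when another project, or the same project after "Renew Ids & Rebuild
# All", is downloaded. The module firmware is not modelled; deriving the MUID
# from a SHA-256 of project name and build generation is an assumption made
# here so that the four 32-bit words are reproducible.
from dataclasses import dataclass
import hashlib
import struct


def derive_muid(project_name: str, generation: int) -> tuple:
    """Four 32-bit words, like the MUID field of the Device DDT (assumed derivation)."""
    digest = hashlib.sha256(f"{project_name}:{generation}".encode()).digest()
    return struct.unpack(">4I", digest[:16])


@dataclass(frozen=True)
class ModuleConfig:
    muid: tuple      # MUID[0..3]
    params: tuple    # module parameters, e.g. which diagnostics are enabled


class Project:
    """A Control Expert project: 'Build all' keeps the MUIDs, 'Renew Ids' changes them."""
    def __init__(self, name: str, params=("fault1_diag", "fault2_diag")):
        self.name, self.params, self.generation = name, params, 0

    def build_all(self) -> ModuleConfig:
        return ModuleConfig(derive_muid(self.name, self.generation), self.params)

    def renew_ids_and_rebuild_all(self) -> ModuleConfig:
        self.generation += 1
        return self.build_all()


class SafetyInputModule:
    """Configuration memory plus the BLUE button lock of a Safety I/O module."""
    def __init__(self):
        self.stored = None          # None = DEFAULT configuration
        self.conf_locked = False
        self.expected = None        # what the CPU last tried to download

    def press_blue_button_3s(self):
        """Toggles LOCK/UNLOCK (the LCK LED flashes fast while the button is held)."""
        self.conf_locked = not self.conf_locked

    def receive_configuration(self, cfg: ModuleConfig) -> bool:
        """CPU download or CPU boot. Accepted when unlocked, or when the locked
        configuration is already identical; returns True if accepted."""
        self.expected = cfg
        if self.conf_locked and self.stored != cfg:
            return False
        self.stored = cfg
        return True

    def device_ddt(self) -> dict:
        """The health fields a user would watch in an animation table."""
        healthy = self.stored is not None and self.stored == self.expected
        return {"MOD_HEALTH": int(healthy), "SAFE_COM_STS": int(healthy),
                "CONF_LOCKED": int(self.conf_locked),
                "MUID": self.stored.muid if self.stored else (0, 0, 0, 0),
                "ERR_LED": "off" if healthy else "flickering"}


def activity_8() -> list:
    """Replays steps 1 to 7 of Activity 8; returns (step, MOD_HEALTH, CONF_LOCKED)."""
    module, original, scratch = SafetyInputModule(), Project("original"), Project("scratch")
    steps = [
        ("1 download original", lambda: module.receive_configuration(original.build_all())),
        ("3 lock", module.press_blue_button_3s),
        ("4 download new project", lambda: module.receive_configuration(scratch.build_all())),
        ("6a unlock", module.press_blue_button_3s),
        ("6e download new project", lambda: module.receive_configuration(scratch.build_all())),
        ("7 restore original", lambda: module.receive_configuration(original.build_all())),
    ]
    trace = []
    for label, action in steps:
        action()
        ddt = module.device_ddt()
        trace.append((label, ddt["MOD_HEALTH"], ddt["CONF_LOCKED"]))
    return trace


def locked_module_survives_build_all() -> tuple:
    """'Build all' keeps the MUID, so a locked module stays healthy; 'Renew Ids &
    Rebuild All' changes it and the locked module rejects it and goes bad."""
    module, project = SafetyInputModule(), Project("plant")
    module.receive_configuration(project.build_all())
    module.press_blue_button_3s()
    after_build = module.receive_configuration(project.build_all())
    after_renew = module.receive_configuration(project.renew_ids_and_rebuild_all())
    return after_build, after_renew, module.device_ddt()["MOD_HEALTH"]


if __name__ == "__main__":
    for row in activity_8():
        print(row)
    print("build all accepted, renew accepted, health:", locked_module_survives_build_all())
```

In the replayed activity the module reports MOD_HEALTH = 0 with the ERR LED flickering exactly at step 4, when the scratch project's different MUID arrives at a locked module, and recovers only after the unlock in step 6. The second function shows the distinction between the two build commands: a locked module keeps running after "Build all" but not after "Renew Ids & Rebuild All".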
SAFETY DIGITAL INPUT MODULE

BMX SDI 1602 - 16 DI 24 VDC MODULE

The Safety Digital Input module, BMX SDI 1602, is a 16-channel, non-electrically-isolated digital input module. Its characteristics are:
➢ 16 digital inputs, 24 Vdc; non-electrically isolated
➢ SIL 3 and Cat 2 / PLd achieved with one input channel (1oo1D evaluation)
➢ SIL 3 and Cat 4 / PLe achieved with two input channels (1oo2 evaluation)
➢ Suitable for switches and 2- or 3-wire proximity sensors
➢ 24 Vdc protected sensor power supply (VS1 and VS2), one per group of 8 channels
➢ Configurable diagnostic functions:
  o Open-circuit detection (wire cut or broken)
  o Short-circuit detection to 0 V ground
  o Short-circuit detection to 24 Vdc via VS1 or VS2
  o Short-circuit detection between channels via VS1 or VS2
➢ Sensors with an external power supply can be monitored
➢ Status LED for each channel
➢ Configuration in RUN mode supported (CCOTF)

The module has a 1oo2 internal architecture consisting of 2 built-in channel circuits; each can execute its own safety function.

Note: The diagrams in the manual are recommendations only; if followed as shown, they achieve the nominated level of safety in accordance with the design standard adopted. For a design following ISO 13849, it is possible to use the M580 Safety modules for other architectures such as Cat 1 and Cat 3; however, a safety assessment of the complete system by a suitably qualified party shall be undertaken in accordance with ISO 13849 to ensure the system meets the required level of safety.
1OO2 INTERNAL ARCHITECTURE

The BMX SDI 1602 module has a 1oo2 internal architecture: it internally consists of 2 built-in channels which are processed and monitored. Each channel can execute the safety function by itself:
➢ If one channel fails dangerously, the other executes the safety function.
➢ If one channel has a safe failure, the safety function is executed and a spurious trip follows.

When an internal fault is detected, the module sets the input value to 0 and the parameter "IC" (Invalid Channel) is set to 1.

To achieve SIL 3 and Cat 4 / PLe with 1oo2 evaluation, two input channels are used:
➢ Pair channel 1 (Input 0, rank A) with channel 2 (Input 0, rank B)
➢ Pair channel 3 (Input 1, rank A) with channel 4 (Input 1, rank B)
➢ and so on...
TERMINAL BLOCK

The Safety Digital Input module can be used with:
➢ BMX FTB 2000 - 20-point cage clamp terminal block
➢ BMX FTB 2010 - 20-point screw clamp terminal block
➢ BMX FTB 2020 - 20-point spring-type terminal block

There are 2 groups of 8 digital inputs with no isolation between them. The terminal block cannot be removed while the process is running. Removing the terminal block while it is powered is not allowed (the 24 Vdc supply to the I/O module must be isolated first). It is recommended to use a process power supply that does not recover automatically after a trip, for example the 24 Vdc 10 A ABL8 RPS24100 in manual mode.

Pin   Description             Pin   Description
1     Input 0 (rank A)        2     Input 0 (rank B)
3     Input 1 (rank A)        4     Input 1 (rank B)
5     Input 2 (rank A)        6     Input 2 (rank B)
7     Input 3 (rank A)        8     Input 3 (rank B)
9     Input 4 (rank A)        10    Input 4 (rank B)
11    Input 5 (rank A)        12    Input 5 (rank B)
13    Input 6 (rank A)        14    Input 6 (rank B)
15    Input 7 (rank A)        16    Input 7 (rank B)
17    VS1 power supply        18    VS2 power supply
19    24 V power supply       20    0 V

Note: The module will not start without an external 24 Vdc supply.
SENSOR POWER SUPPLY CONNECTIONS

There are two possible methods of connecting power to the field sensors:
➢ Method 1:
  o The customer can connect an external power supply directly to supply the field sensors.
  o Using an external power supply does not allow detection of a short circuit to 24 Vdc, or of a cross-circuit with other lines in the external wiring.
➢ Method 2:
  o The customer can use the monitored VS power supply provided directly by the module to supply the field sensors.
  o VS1 has to be wired and assigned to input channels 0 to 3 (rank A and B).
  o VS2 has to be wired and assigned to input channels 4 to 7 (rank A and B).

Note: The principle is to provide power to the sensors by group of 8 channels: VS1 for channels 0 to 3 (rank A and B) and VS2 for channels 4 to 7 (rank A and B). These power outputs are periodically pulsed OFF, with a period of less than 1 second and a duration of less than 1 ms.
DIAGNOSTIC FUNCTIONS

The Safety Digital Input module has configurable diagnostic functions. Fault detection and monitoring can be enabled or disabled in the EcoStruxure™ Control Expert V15 for Safety I/O screen for the following groups of faults:
➢ Fault 1:
  o Open-circuit detection (wire cut)
  o Short-circuit detection to 0 V ground
➢ Fault 2:
  o Short-circuit detection to 24 Vdc via terminals VS1 and VS2
  o Short-circuit detection between channels via terminals VS1 and VS2
FAULT DETECTION CIRCUIT

The module is able to diagnose 2 types of wiring fault:
➢ Fault 1: open wire or short circuit to ground
  o The diagnostic is performed with a period of less than 10 ms.
  o To detect it, add an optional 33 kΩ resistor in parallel across the sensor's dry contact.
➢ Fault 2: short circuit to 24 Vdc or cross-circuit with other lines
  o The diagnostic is performed with a period of less than 1 s.
  o To detect it, the sensors need to use the monitored power from VS1 and VS2. These power supply outputs are periodically pulsed OFF, with a period of less than 1 s and a duration of less than 1 ms.

Installed in each input channel:
➢ 33 kΩ resistor in parallel
➢ Schottky diode in series

The diagnostic can be deactivated in EcoStruxure™ Control Expert V15 for Safety, in case the user does not want to install the resistor.

STATEMENT OF HAZARD (e.g. UNGUARDED MACHINERY CAN CAUSE SERIOUS INJURY)
When a diagnostic is not available or not used, the customer is responsible for implementing appropriate additional diagnostics, or for avoiding dangerous faults that could occur on the external wiring. Failure to follow these instructions can result in death, serious injury, or equipment damage.
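Why the 33 kΩ resistor catches Fault 1 and the VS test pulse catches Fault 2, and how an invalid channel propagates into the 1oo2 pair evaluation described under "1oo2 Internal Architecture", is clearer with a small numerical model. The following is an added example written for this page, not Schneider Electric code and not the module's actual measurement circuit: the 33 kΩ parallel resistor and the sub-millisecond VS OFF pulse are taken from the page, while the input impedance `R_IN` and the two voltage thresholds are assumptions chosen so that "contact open with resistor", "contact closed" and "no current at all" are distinguishable. It also shows what happens when a diagnostic is disabled, which is the case the hazard statement above warns about.

```python
# Added example (not Schneider's code): a numerical model of the two wiring
# diagnostics described for the BMX SDI 1602 and of the 1oo2 evaluation of a
# rank A / rank B channel pair. The 33 kOhm line resistor and the VS test pulse
# are from the page; the input impedance and the voltage thresholds are
# assumptions chosen so that the line states are distinguishable.
from dataclasses import dataclass

VS = 24.0            # monitored sensor supply VS1/VS2, V
R_LINE = 33_000.0    # resistor wired in parallel with the dry contact, ohm
R_IN = 4_000.0       # assumed input impedance of the channel, ohm
HIGH_MIN = 15.0      # assumed: at or above this the channel reads logic 1
LOW_MAX = 1.0        # assumed: below this no current flows through R_LINE at all


@dataclass(frozen=True)
class Line:
    """Wiring state of one input line (rank A or rank B of a channel)."""
    contact_closed: bool = False
    wire_cut: bool = False
    short_to_0v: bool = False
    short_to_24v: bool = False   # foreign 24 V or cross-circuit from another line


def line_voltage(line: Line, vs_on: bool) -> float:
    """Voltage at the input terminal for a given wiring state and VS state."""
    if line.short_to_24v:
        return VS                       # a foreign source does not follow the VS pulse
    if not vs_on or line.wire_cut or line.short_to_0v:
        return 0.0
    if line.contact_closed:
        return VS
    # Contact open: VS reaches the input only through the 33 kOhm resistor.
    return VS * R_IN / (R_LINE + R_IN)  # about 2.6 V with the assumed R_IN


def evaluate_channel(line: Line, fault1_diag: bool = True, fault2_diag: bool = True):
    """Return (input_value, IC). Fault 1 is checked with VS on (period < 10 ms);
    Fault 2 samples the line during the < 1 ms VS OFF pulse (period < 1 s)."""
    v_on = line_voltage(line, vs_on=True)
    ic = False
    if fault1_diag and v_on < LOW_MAX:
        ic = True    # no current at all: open wire or short to 0 V
    if fault2_diag and line_voltage(line, vs_on=False) >= HIGH_MIN:
        ic = True    # still high while VS is off: short to 24 V or cross-circuit
    value = 0 if ic else int(v_on >= HIGH_MIN)   # an invalid channel reads 0
    return value, ic


def evaluate_1oo2(rank_a: Line, rank_b: Line, **diag):
    """1oo2 evaluation of a channel pair: 1 only if both valid channels read 1;
    an IC on either rank forces the safe value 0 and flags the pair invalid."""
    va, ic_a = evaluate_channel(rank_a, **diag)
    vb, ic_b = evaluate_channel(rank_b, **diag)
    if ic_a or ic_b:
        return 0, True
    return int(va and vb), False


if __name__ == "__main__":
    cases = {"closed": Line(contact_closed=True), "open": Line(),
             "wire cut": Line(wire_cut=True), "short to 0V": Line(short_to_0v=True),
             "short to 24V": Line(short_to_24v=True)}
    for name, ln in cases.items():
        print(f"{name:13s} diag on {evaluate_channel(ln)}  diag off "
              f"{evaluate_channel(ln, fault1_diag=False, fault2_diag=False)}")
```

With both diagnostics enabled a cut wire, a short to 0 V and a short to 24 V all end up as an invalid channel reading 0, and the 1oo2 pair they belong to goes to the safe value. With the diagnostics disabled the first two faults are indistinguishable from an open contact (safe side), but a short to 24 V reads as a closed contact, i.e. the dangerous undetected fault that the hazard statement leaves the customer to cover by other means.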